Privilege escalation (PR)/RCE from account through AWM view sheet

Steps to reproduce:

1. As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content

   {{groovy}}println("Hello " + "from Groovy!"){{/groovy}}
   

2. Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save)
3. View the document

Expected result:

An error is displayed that the user cannot execute the Groovy macro.

Actual result:

Below "Entries", the text "Hello from Groovy!" is displayed, showing that the Groovy macro has been executed.

This demonstrates remote code execution and privilege escalation from a simple user account with only edit rights on the own profile.

The reason for this is that AppWithinMinutes.LiveTableViewSheet uses a hack for including the document's content that aims to securely include the document's content to work around XWIKI-5027 but after fixing XWIKI-5477, this hack is no longer secure but executes the document's content with the sheet's rights. This is also where the affects version comes from.